Jul 10 2020 02:08 AM
Hi.
Regarding the ReportID for AdvancedHunting, the Docs states the following.
"""
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.
"""
When will the Report ID be repeated?
I want to identify the event using the ReportID and Table listed in the DeviceAlertEvent.
But multiple ReportIDs exist on the same device and cannot be identified.
Maybe I need to narrow down the Timestamp.
Is there a better way?
Thanks,